npm - @concavejs/runtime-node - Versions diffs - 0.0.1-alpha.12 → 0.0.1-alpha.13 - Mend

@concavejs/runtime-node 0.0.1-alpha.12 → 0.0.1-alpha.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -2860,6 +2860,113 @@ var init_base64url = __esm(() => {
   init_buffer_utils();
 });
+// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
+function getHashLength(hash) {
+  return parseInt(hash.name.slice(4), 10);
+}
+function checkHashLength(algorithm, expected) {
+  const actual = getHashLength(algorithm.hash);
+  if (actual !== expected)
+    throw unusable(`SHA-${expected}`, "algorithm.hash");
+}
+function getNamedCurve(alg) {
+  switch (alg) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function checkUsage(key, usage) {
+  if (usage && !key.usages.includes(usage)) {
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+  }
+}
+function checkSigCryptoKey(key, alg, usage) {
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!isAlgorithm(key.algorithm, "HMAC"))
+        throw unusable("HMAC");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw unusable("RSASSA-PKCS1-v1_5");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
+        throw unusable("RSA-PSS");
+      checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!isAlgorithm(key.algorithm, "Ed25519"))
+        throw unusable("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!isAlgorithm(key.algorithm, alg))
+        throw unusable(alg);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!isAlgorithm(key.algorithm, "ECDSA"))
+        throw unusable("ECDSA");
+      const expected = getNamedCurve(alg);
+      const actual = key.algorithm.namedCurve;
+      if (actual !== expected)
+        throw unusable(expected, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  checkUsage(key, usage);
+}
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
+// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+  types = types.filter(Boolean);
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `one of type ${types.join(", ")}, or ${last}.`;
+  } else if (types.length === 2) {
+    msg += `one of type ${types[0]} or ${types[1]}.`;
+  } else {
+    msg += `of type ${types[0]}.`;
+  }
+  if (actual == null) {
+    msg += ` Received ${actual}`;
+  } else if (typeof actual === "function" && actual.name) {
+    msg += ` Received function ${actual.name}`;
+  } else if (typeof actual === "object" && actual != null) {
+    if (actual.constructor?.name) {
+      msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+  }
+  return msg;
+}
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 // ../../node_modules/jose/dist/webapi/util/errors.js
 var exports_errors = {};
 __export(exports_errors, {
@@ -2884,8 +2991,8 @@ var init_errors2 = __esm(() => {
   JOSEError = class JOSEError extends Error {
     static code = "ERR_JOSE_GENERIC";
     code = "ERR_JOSE_GENERIC";
-    constructor(message, options) {
-      super(message, options);
+    constructor(message2, options) {
+      super(message2, options);
       this.name = this.constructor.name;
       Error.captureStackTrace?.(this, this.constructor);
     }
@@ -2896,8 +3003,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -2909,8 +3016,8 @@ var init_errors2 = __esm(() => {
     claim;
     reason;
     payload;
-    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
-      super(message, { cause: { claim, reason, payload } });
+    constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
+      super(message2, { cause: { claim, reason, payload } });
       this.claim = claim;
       this.reason = reason;
       this.payload = payload;
@@ -2927,8 +3034,8 @@ var init_errors2 = __esm(() => {
   JWEDecryptionFailed = class JWEDecryptionFailed extends JOSEError {
     static code = "ERR_JWE_DECRYPTION_FAILED";
     code = "ERR_JWE_DECRYPTION_FAILED";
-    constructor(message = "decryption operation failed", options) {
-      super(message, options);
+    constructor(message2 = "decryption operation failed", options) {
+      super(message2, options);
     }
   };
   JWEInvalid = class JWEInvalid extends JOSEError {
@@ -2954,145 +3061,34 @@ var init_errors2 = __esm(() => {
   JWKSNoMatchingKey = class JWKSNoMatchingKey extends JOSEError {
     static code = "ERR_JWKS_NO_MATCHING_KEY";
     code = "ERR_JWKS_NO_MATCHING_KEY";
-    constructor(message = "no applicable key found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSMultipleMatchingKeys = class JWKSMultipleMatchingKeys extends JOSEError {
     [Symbol.asyncIterator];
     static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
     code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
-      super(message, options);
+    constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
+      super(message2, options);
     }
   };
   JWKSTimeout = class JWKSTimeout extends JOSEError {
     static code = "ERR_JWKS_TIMEOUT";
     code = "ERR_JWKS_TIMEOUT";
-    constructor(message = "request timed out", options) {
-      super(message, options);
+    constructor(message2 = "request timed out", options) {
+      super(message2, options);
     }
   };
   JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed extends JOSEError {
     static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
     code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-    constructor(message = "signature verification failed", options) {
-      super(message, options);
+    constructor(message2 = "signature verification failed", options) {
+      super(message2, options);
     }
   };
 });
-// ../../node_modules/jose/dist/webapi/lib/crypto_key.js
-function getHashLength(hash) {
-  return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-  switch (alg) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function checkUsage(key, usage) {
-  if (usage && !key.usages.includes(usage)) {
-    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-  }
-}
-function checkSigCryptoKey(key, alg, usage) {
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!isAlgorithm(key.algorithm, "HMAC"))
-        throw unusable("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw unusable("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!isAlgorithm(key.algorithm, "RSA-PSS"))
-        throw unusable("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable(`SHA-${expected}`, "algorithm.hash");
-      break;
-    }
-    case "Ed25519":
-    case "EdDSA": {
-      if (!isAlgorithm(key.algorithm, "Ed25519"))
-        throw unusable("Ed25519");
-      break;
-    }
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87": {
-      if (!isAlgorithm(key.algorithm, alg))
-        throw unusable(alg);
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!isAlgorithm(key.algorithm, "ECDSA"))
-        throw unusable("ECDSA");
-      const expected = getNamedCurve(alg);
-      const actual = key.algorithm.namedCurve;
-      if (actual !== expected)
-        throw unusable(expected, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  checkUsage(key, usage);
-}
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
-// ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-  types = types.filter(Boolean);
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `one of type ${types.join(", ")}, or ${last}.`;
-  } else if (types.length === 2) {
-    msg += `one of type ${types[0]} or ${types[1]}.`;
-  } else {
-    msg += `of type ${types[0]}.`;
-  }
-  if (actual == null) {
-    msg += ` Received ${actual}`;
-  } else if (typeof actual === "function" && actual.name) {
-    msg += ` Received function ${actual.name}`;
-  } else if (typeof actual === "object" && actual != null) {
-    if (actual.constructor?.name) {
-      msg += ` Received an instance of ${actual.constructor.name}`;
-    }
-  }
-  return msg;
-}
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 // ../../node_modules/jose/dist/webapi/lib/is_key_like.js
 var isCryptoKey = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
@@ -3104,7 +3100,34 @@ var isCryptoKey = (key) => {
   }
 }, isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
-// ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+// ../../node_modules/jose/dist/webapi/lib/helpers.js
+function decodeBase64url(value, label, ErrorClass) {
+  try {
+    return decode(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+var unprotected;
+var init_helpers = __esm(() => {
+  init_base64url();
+  unprotected = Symbol();
+});
+// ../../node_modules/jose/dist/webapi/lib/type_checks.js
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -3126,24 +3149,9 @@ function isDisjoint(...headers) {
   }
   return true;
 }
+var isObjectLike = (value) => typeof value === "object" && value !== null, isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-// ../../node_modules/jose/dist/webapi/lib/is_object.js
-function isObject(input) {
-  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
-var isObjectLike = (value) => typeof value === "object" && value !== null;
-// ../../node_modules/jose/dist/webapi/lib/check_key_length.js
+// ../../node_modules/jose/dist/webapi/lib/signing.js
 function checkKeyLength(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -3152,6 +3160,59 @@ function checkKeyLength(alg, key) {
     }
   }
 }
+function subtleAlgorithm(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey(key, alg, usage);
+  return key;
+}
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_signing = __esm(() => {
+  init_errors2();
+});
 // ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
 function subtleMapping(jwk) {
@@ -3167,7 +3228,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3196,22 +3257,19 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -3222,7 +3280,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3241,7 +3299,7 @@ function subtleMapping(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported(unsupportedAlg);
       }
       break;
     }
@@ -3262,100 +3320,11 @@ async function jwkToKey(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 var init_jwk_to_key = __esm(() => {
   init_errors2();
 });
-// ../../node_modules/jose/dist/webapi/key/import.js
-async function importJWK(jwk, alg, options) {
-  if (!isObject(jwk)) {
-    throw new TypeError("JWK must be an object");
-  }
-  let ext;
-  alg ??= jwk.alg;
-  ext ??= options?.extractable ?? jwk.ext;
-  switch (jwk.kty) {
-    case "oct":
-      if (typeof jwk.k !== "string" || !jwk.k) {
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      }
-      return decode(jwk.k);
-    case "RSA":
-      if ("oth" in jwk && jwk.oth !== undefined) {
-        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-      }
-      return jwkToKey({ ...jwk, alg, ext });
-    case "AKP": {
-      if (typeof jwk.alg !== "string" || !jwk.alg) {
-        throw new TypeError('missing "alg" (Algorithm) Parameter value');
-      }
-      if (alg !== undefined && alg !== jwk.alg) {
-        throw new TypeError("JWK alg and alg option value mismatch");
-      }
-      return jwkToKey({ ...jwk, ext });
-    }
-    case "EC":
-    case "OKP":
-      return jwkToKey({ ...jwk, alg, ext });
-    default:
-      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-var init_import = __esm(() => {
-  init_base64url();
-  init_jwk_to_key();
-  init_errors2();
-});
-// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-  }
-  if (!protectedHeader || protectedHeader.crit === undefined) {
-    return new Set;
-  }
-  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
-    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  }
-  let recognized;
-  if (recognizedOption !== undefined) {
-    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-  } else {
-    recognized = recognizedDefault;
-  }
-  for (const parameter of protectedHeader.crit) {
-    if (!recognized.has(parameter)) {
-      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-    }
-    if (joseHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-    }
-    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-    }
-  }
-  return new Set(protectedHeader.crit);
-}
-var init_validate_crit = __esm(() => {
-  init_errors2();
-});
-// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms(option, algorithms) {
-  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
-    throw new TypeError(`"${option}" option must be an array of strings`);
-  }
-  if (!algorithms) {
-    return;
-  }
-  return new Set(algorithms);
-}
-// ../../node_modules/jose/dist/webapi/lib/is_jwk.js
-var isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-var init_is_jwk = () => {};
 // ../../node_modules/jose/dist/webapi/lib/normalize_key.js
 async function normalizeKey(key, alg) {
   if (key instanceof Uint8Array) {
@@ -3388,7 +3357,7 @@ async function normalizeKey(key, alg) {
   }
   throw new Error("unreachable");
 }
-var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
+var unusableForAlg = "given KeyObject instance cannot be used for this algorithm", cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
   let cached = cache.get(key);
   if (cached?.[alg]) {
@@ -3420,13 +3389,13 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -3437,7 +3406,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -3466,7 +3435,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -3487,21 +3456,10 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -3515,7 +3473,7 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg);
   }
   if (!cached) {
     cache.set(keyObject, { [alg]: cryptoKey });
@@ -3525,11 +3483,96 @@ var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   return cryptoKey;
 };
 var init_normalize_key = __esm(() => {
-  init_is_jwk();
   init_base64url();
   init_jwk_to_key();
 });
+// ../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+  if (!isObject(jwk)) {
+    throw new TypeError("JWK must be an object");
+  }
+  let ext;
+  alg ??= jwk.alg;
+  ext ??= options?.extractable ?? jwk.ext;
+  switch (jwk.kty) {
+    case "oct":
+      if (typeof jwk.k !== "string" || !jwk.k) {
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      }
+      return decode(jwk.k);
+    case "RSA":
+      if ("oth" in jwk && jwk.oth !== undefined) {
+        throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      }
+      return jwkToKey({ ...jwk, alg, ext });
+    case "AKP": {
+      if (typeof jwk.alg !== "string" || !jwk.alg) {
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      }
+      if (alg !== undefined && alg !== jwk.alg) {
+        throw new TypeError("JWK alg and alg option value mismatch");
+      }
+      return jwkToKey({ ...jwk, ext });
+    }
+    case "EC":
+    case "OKP":
+      return jwkToKey({ ...jwk, alg, ext });
+    default:
+      throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+var init_import = __esm(() => {
+  init_base64url();
+  init_jwk_to_key();
+  init_errors2();
+});
+// ../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+  if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+  }
+  if (!protectedHeader || protectedHeader.crit === undefined) {
+    return new Set;
+  }
+  if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
+    throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  }
+  let recognized;
+  if (recognizedOption !== undefined) {
+    recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+  } else {
+    recognized = recognizedDefault;
+  }
+  for (const parameter of protectedHeader.crit) {
+    if (!recognized.has(parameter)) {
+      throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+    }
+    if (joseHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+    }
+    if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+      throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+  }
+  return new Set(protectedHeader.crit);
+}
+var init_validate_crit = __esm(() => {
+  init_errors2();
+});
+// ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 // ../../node_modules/jose/dist/webapi/lib/check_key_type.js
 function checkKeyType(alg, key, usage) {
   switch (alg.substring(0, 2)) {
@@ -3646,73 +3689,7 @@ var tag = (key) => key?.[Symbol.toStringTag], jwkMatchesOp = (alg, key, usage) =
     }
   }
 };
-var init_check_key_type = __esm(() => {
-  init_is_jwk();
-});
-// ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
-function subtleAlgorithm(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-var init_subtle_dsa = __esm(() => {
-  init_errors2();
-});
-// ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-async function getSigKey(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey(key, alg, usage);
-  return key;
-}
-var init_get_sign_verify_key = () => {};
-// ../../node_modules/jose/dist/webapi/lib/verify.js
-async function verify(alg, key, signature, data) {
-  const cryptoKey = await getSigKey(alg, key, "verify");
-  checkKeyLength(alg, cryptoKey);
-  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
-var init_verify = __esm(() => {
-  init_subtle_dsa();
-  init_get_sign_verify_key();
-});
+var init_check_key_type = () => {};
 // ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
 async function flattenedVerify(jws, key, options) {
@@ -3780,12 +3757,7 @@ async function flattenedVerify(jws, key, options) {
   }
   checkKeyType(alg, key, "verify");
   const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode(jws.signature);
-  } catch {
-    throw new JWSInvalid("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
   const k = await normalizeKey(key, alg);
   const verified = await verify(alg, k, signature, data);
   if (!verified) {
@@ -3793,11 +3765,7 @@ async function flattenedVerify(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode(jws.payload);
-    } catch {
-      throw new JWSInvalid("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
   } else if (typeof jws.payload === "string") {
     payload = encoder.encode(jws.payload);
   } else {
@@ -3815,11 +3783,12 @@ async function flattenedVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify2 = __esm(() => {
+var init_verify = __esm(() => {
   init_base64url();
-  init_verify();
+  init_signing();
   init_errors2();
   init_buffer_utils();
+  init_helpers();
   init_check_key_type();
   init_validate_crit();
   init_normalize_key();
@@ -3844,8 +3813,8 @@ async function compactVerify(jws, key, options) {
   }
   return result;
 }
-var init_verify3 = __esm(() => {
-  init_verify2();
+var init_verify2 = __esm(() => {
+  init_verify();
   init_errors2();
   init_buffer_utils();
 });
@@ -4089,8 +4058,8 @@ async function jwtVerify(jwt, key, options) {
   }
   return result;
 }
-var init_verify4 = __esm(() => {
-  init_verify3();
+var init_verify3 = __esm(() => {
+  init_verify2();
   init_jwt_claims_set();
   init_errors2();
 });
@@ -4375,7 +4344,7 @@ var init_remote = __esm(() => {
   init_local();
   if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT = `${NAME}/${VERSION}`;
   }
   customFetch = Symbol();
@@ -4384,7 +4353,7 @@ var init_remote = __esm(() => {
 // ../../node_modules/jose/dist/webapi/index.js
 var init_webapi = __esm(() => {
-  init_verify4();
+  init_verify3();
   init_local();
   init_remote();
   init_errors2();
@@ -12130,6 +12099,11 @@ function decode2(input) {
 function getHashLength2(hash) {
   return parseInt(hash.name.slice(4), 10);
 }
+function checkHashLength2(algorithm, expected) {
+  const actual = getHashLength2(algorithm.hash);
+  if (actual !== expected)
+    throw unusable2(`SHA-${expected}`, "algorithm.hash");
+}
 function getNamedCurve2(alg) {
   switch (alg) {
     case "ES256":
@@ -12154,10 +12128,7 @@ function checkSigCryptoKey2(key, alg, usage) {
     case "HS512": {
       if (!isAlgorithm2(key.algorithm, "HMAC"))
         throw unusable2("HMAC");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "RS256":
@@ -12165,10 +12136,7 @@ function checkSigCryptoKey2(key, alg, usage) {
     case "RS512": {
       if (!isAlgorithm2(key.algorithm, "RSASSA-PKCS1-v1_5"))
         throw unusable2("RSASSA-PKCS1-v1_5");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "PS256":
@@ -12176,10 +12144,7 @@ function checkSigCryptoKey2(key, alg, usage) {
     case "PS512": {
       if (!isAlgorithm2(key.algorithm, "RSA-PSS"))
         throw unusable2("RSA-PSS");
-      const expected = parseInt(alg.slice(2), 10);
-      const actual = getHashLength2(key.algorithm.hash);
-      if (actual !== expected)
-        throw unusable2(`SHA-${expected}`, "algorithm.hash");
+      checkHashLength2(key.algorithm, parseInt(alg.slice(2), 10));
       break;
     }
     case "Ed25519":
@@ -12232,6 +12197,26 @@ function message2(msg, actual, ...types2) {
   }
   return msg;
 }
+function decodeBase64url2(value, label, ErrorClass) {
+  try {
+    return decode2(value);
+  } catch {
+    throw new ErrorClass(`Failed to base64url decode the ${label}`);
+  }
+}
+function isObject2(input) {
+  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+    return false;
+  }
+  if (Object.getPrototypeOf(input) === null) {
+    return true;
+  }
+  let proto = input;
+  while (Object.getPrototypeOf(proto) !== null) {
+    proto = Object.getPrototypeOf(proto);
+  }
+  return Object.getPrototypeOf(input) === proto;
+}
 function isDisjoint2(...headers) {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -12253,19 +12238,6 @@ function isDisjoint2(...headers) {
   }
   return true;
 }
-function isObject2(input) {
-  if (!isObjectLike2(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-    return false;
-  }
-  if (Object.getPrototypeOf(input) === null) {
-    return true;
-  }
-  let proto = input;
-  while (Object.getPrototypeOf(proto) !== null) {
-    proto = Object.getPrototypeOf(proto);
-  }
-  return Object.getPrototypeOf(input) === proto;
-}
 function checkKeyLength2(alg, key) {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key.algorithm;
@@ -12274,6 +12246,56 @@ function checkKeyLength2(alg, key) {
     }
   }
 }
+function subtleAlgorithm2(alg, algorithm) {
+  const hash = `SHA-${alg.slice(-3)}`;
+  switch (alg) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: alg };
+    default:
+      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function getSigKey2(alg, key, usage) {
+  if (key instanceof Uint8Array) {
+    if (!alg.startsWith("HS")) {
+      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+    }
+    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
+  }
+  checkSigCryptoKey2(key, alg, usage);
+  return key;
+}
+async function verify2(alg, key, signature, data) {
+  const cryptoKey = await getSigKey2(alg, key, "verify");
+  checkKeyLength2(alg, cryptoKey);
+  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
 function subtleMapping2(jwk) {
   let algorithm;
   let keyUsages;
@@ -12287,7 +12309,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.priv ? ["sign"] : ["verify"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -12316,22 +12338,19 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
     case "EC": {
       switch (jwk.alg) {
         case "ES256":
-          algorithm = { name: "ECDSA", namedCurve: "P-256" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES384":
-          algorithm = { name: "ECDSA", namedCurve: "P-384" };
-          keyUsages = jwk.d ? ["sign"] : ["verify"];
-          break;
         case "ES512":
-          algorithm = { name: "ECDSA", namedCurve: "P-521" };
+          algorithm = {
+            name: "ECDSA",
+            namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[jwk.alg]
+          };
           keyUsages = jwk.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
@@ -12342,7 +12361,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -12361,7 +12380,7 @@ function subtleMapping2(jwk) {
           keyUsages = jwk.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new JOSENotSupported2('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new JOSENotSupported2(unsupportedAlg2);
       }
       break;
     }
@@ -12382,6 +12401,37 @@ async function jwkToKey2(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+async function normalizeKey2(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey2(key)) {
+    return key;
+  }
+  if (isKeyObject2(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject2(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK2(key, jwk, alg);
+  }
+  if (isJWK2(key)) {
+    if (key.k) {
+      return decode2(key.k);
+    }
+    return handleJWK2(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
 async function importJWK2(jwk, alg, options) {
   if (!isObject2(jwk)) {
     throw new TypeError("JWK must be an object");
@@ -12454,37 +12504,6 @@ function validateAlgorithms2(option, algorithms) {
   }
   return new Set(algorithms);
 }
-async function normalizeKey2(key, alg) {
-  if (key instanceof Uint8Array) {
-    return key;
-  }
-  if (isCryptoKey2(key)) {
-    return key;
-  }
-  if (isKeyObject2(key)) {
-    if (key.type === "secret") {
-      return key.export();
-    }
-    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-      try {
-        return handleKeyObject2(key, alg);
-      } catch (err) {
-        if (err instanceof TypeError) {
-          throw err;
-        }
-      }
-    }
-    let jwk = key.export({ format: "jwk" });
-    return handleJWK2(key, jwk, alg);
-  }
-  if (isJWK2(key)) {
-    if (key.k) {
-      return decode2(key.k);
-    }
-    return handleJWK2(key, key, alg, true);
-  }
-  throw new Error("unreachable");
-}
 function checkKeyType2(alg, key, usage) {
   switch (alg.substring(0, 2)) {
     case "A1":
@@ -12498,56 +12517,6 @@ function checkKeyType2(alg, key, usage) {
       asymmetricTypeCheck2(alg, key, usage);
   }
 }
-function subtleAlgorithm2(alg, algorithm) {
-  const hash = `SHA-${alg.slice(-3)}`;
-  switch (alg) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve };
-    case "Ed25519":
-    case "EdDSA":
-      return { name: "Ed25519" };
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return { name: alg };
-    default:
-      throw new JOSENotSupported2(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-async function getSigKey2(alg, key, usage) {
-  if (key instanceof Uint8Array) {
-    if (!alg.startsWith("HS")) {
-      throw new TypeError(invalidKeyInput2(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-    }
-    return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]);
-  }
-  checkSigCryptoKey2(key, alg, usage);
-  return key;
-}
-async function verify2(alg, key, signature, data) {
-  const cryptoKey = await getSigKey2(alg, key, "verify");
-  checkKeyLength2(alg, cryptoKey);
-  const algorithm = subtleAlgorithm2(alg, cryptoKey.algorithm);
-  try {
-    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-  } catch {
-    return false;
-  }
-}
 async function flattenedVerify2(jws, key, options) {
   if (!isObject2(jws)) {
     throw new JWSInvalid2("Flattened JWS must be an object");
@@ -12613,12 +12582,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   checkKeyType2(alg, key, "verify");
   const data = concat2(jws.protected !== undefined ? encode2(jws.protected) : new Uint8Array, encode2("."), typeof jws.payload === "string" ? b64 ? encode2(jws.payload) : encoder2.encode(jws.payload) : jws.payload);
-  let signature;
-  try {
-    signature = decode2(jws.signature);
-  } catch {
-    throw new JWSInvalid2("Failed to base64url decode the signature");
-  }
+  const signature = decodeBase64url2(jws.signature, "signature", JWSInvalid2);
   const k = await normalizeKey2(key, alg);
   const verified = await verify2(alg, k, signature, data);
   if (!verified) {
@@ -12626,11 +12590,7 @@ async function flattenedVerify2(jws, key, options) {
   }
   let payload;
   if (b64) {
-    try {
-      payload = decode2(jws.payload);
-    } catch {
-      throw new JWSInvalid2("Failed to base64url decode the payload");
-    }
+    payload = decodeBase64url2(jws.payload, "payload", JWSInvalid2);
   } else if (typeof jws.payload === "string") {
     payload = encoder2.encode(jws.payload);
   } else {
@@ -18382,7 +18342,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
   func.exportReturns = exportReturns2(functionDefinition);
   func._handler = handler;
   return func;
-}, init_registration_impl2, paginationOptsValidator2, init_pagination2, init_server2, UdfAnalysisError2, init_udf_analyze2, init_analysis2, moduleAnalysisCache2, moduleLoaderApiPromise2 = null, unsubscribeModuleLoader2 = null, init_function_introspection2, MAX_ENTRIES2 = 1000, defaultSink2, init_execution_log2, encoder2, decoder2, MAX_INT322, init_buffer_utils2, init_base64url2, exports_errors2, JOSEError2, JWTClaimValidationFailed2, JWTExpired2, JOSEAlgNotAllowed2, JOSENotSupported2, JWEDecryptionFailed2, JWEInvalid2, JWSInvalid2, JWTInvalid2, JWKInvalid2, JWKSInvalid2, JWKSNoMatchingKey2, JWKSMultipleMatchingKeys2, JWKSTimeout2, JWSSignatureVerificationFailed2, init_errors22, unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm2 = (algorithm, name) => algorithm.name === name, invalidKeyInput2 = (actual, ...types2) => message2("Key must be ", actual, ...types2), withAlg2 = (alg, actual, ...types2) => message2(`Key for the ${alg} algorithm must be `, actual, ...types2), isCryptoKey2 = (key) => {
+}, init_registration_impl2, paginationOptsValidator2, init_pagination2, init_server2, UdfAnalysisError2, init_udf_analyze2, init_analysis2, moduleAnalysisCache2, moduleLoaderApiPromise2 = null, unsubscribeModuleLoader2 = null, init_function_introspection2, MAX_ENTRIES2 = 1000, defaultSink2, init_execution_log2, encoder2, decoder2, MAX_INT322, init_buffer_utils2, init_base64url2, unusable2 = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm2 = (algorithm, name) => algorithm.name === name, invalidKeyInput2 = (actual, ...types2) => message2("Key must be ", actual, ...types2), withAlg2 = (alg, actual, ...types2) => message2(`Key for the ${alg} algorithm must be `, actual, ...types2), exports_errors2, JOSEError2, JWTClaimValidationFailed2, JWTExpired2, JOSEAlgNotAllowed2, JOSENotSupported2, JWEDecryptionFailed2, JWEInvalid2, JWSInvalid2, JWTInvalid2, JWKInvalid2, JWKSInvalid2, JWKSNoMatchingKey2, JWKSMultipleMatchingKeys2, JWKSTimeout2, JWSSignatureVerificationFailed2, init_errors22, isCryptoKey2 = (key) => {
   if (key?.[Symbol.toStringTag] === "CryptoKey")
     return true;
   try {
@@ -18390,7 +18350,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
   } catch {
     return false;
   }
-}, isKeyObject2 = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike2 = (key) => isCryptoKey2(key) || isKeyObject2(key), isObjectLike2 = (value) => typeof value === "object" && value !== null, init_jwk_to_key2, init_import2, init_validate_crit2, isJWK2 = (key) => isObject2(key) && typeof key.kty === "string", isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string", init_is_jwk2 = () => {}, cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
+}, isKeyObject2 = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike2 = (key) => isCryptoKey2(key) || isKeyObject2(key), unprotected2, init_helpers2, isObjectLike2 = (value) => typeof value === "object" && value !== null, isJWK2 = (key) => isObject2(key) && typeof key.kty === "string", isPrivateJWK2 = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK2 = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK2 = (key) => key.kty === "oct" && typeof key.k === "string", init_signing2, unsupportedAlg2 = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value', init_jwk_to_key2, unusableForAlg2 = "given KeyObject instance cannot be used for this algorithm", cache2, handleJWK2 = async (key, jwk, alg, freeze = false) => {
   cache2 ||= new WeakMap;
   let cached = cache2.get(key);
   if (cached?.[alg]) {
@@ -18422,13 +18382,13 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
       case "ECDH-ES+A256KW":
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
   }
   if (keyObject.asymmetricKeyType === "ed25519") {
     if (alg !== "EdDSA" && alg !== "Ed25519") {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      throw new TypeError(unusableForAlg2);
     }
     cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
       isPublic ? "verify" : "sign"
@@ -18439,7 +18399,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
     case "ml-dsa-65":
     case "ml-dsa-87": {
       if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
       }
       cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
         isPublic ? "verify" : "sign"
@@ -18468,7 +18428,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
         hash = "SHA-512";
         break;
       default:
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        throw new TypeError(unusableForAlg2);
     }
     if (alg.startsWith("RSA-OAEP")) {
       return keyObject.toCryptoKey({
@@ -18489,21 +18449,10 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
     ]);
     const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
     if (!namedCurve) {
-      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (alg === "ES256" && namedCurve === "P-256") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
-    }
-    if (alg === "ES384" && namedCurve === "P-384") {
-      cryptoKey = keyObject.toCryptoKey({
-        name: "ECDSA",
-        namedCurve
-      }, extractable, [isPublic ? "verify" : "sign"]);
+      throw new TypeError(unusableForAlg2);
     }
-    if (alg === "ES512" && namedCurve === "P-521") {
+    const expectedCurve = { ES256: "P-256", ES384: "P-384", ES512: "P-521" };
+    if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
       cryptoKey = keyObject.toCryptoKey({
         name: "ECDSA",
         namedCurve
@@ -18517,7 +18466,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
     }
   }
   if (!cryptoKey) {
-    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    throw new TypeError(unusableForAlg2);
   }
   if (!cached) {
     cache2.set(keyObject, { [alg]: cryptoKey });
@@ -18525,7 +18474,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
     cached[alg] = cryptoKey;
   }
   return cryptoKey;
-}, init_normalize_key2, tag2 = (key) => key?.[Symbol.toStringTag], jwkMatchesOp2 = (alg, key, usage) => {
+}, init_normalize_key2, init_import2, init_validate_crit2, tag2 = (key) => key?.[Symbol.toStringTag], jwkMatchesOp2 = (alg, key, usage) => {
   if (key.use !== undefined) {
     let expected;
     switch (usage) {
@@ -18626,7 +18575,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
         throw new TypeError(`${tag2(key)} instances for asymmetric algorithm encryption must be of type "public"`);
     }
   }
-}, init_check_key_type2, init_subtle_dsa2, init_get_sign_verify_key2 = () => {}, init_verify5, init_verify22, init_verify32, epoch2 = (date) => Math.floor(date.getTime() / 1000), minute2 = 60, hour2, day2, week2, year2, REGEX2, normalizeTyp2 = (value) => {
+}, init_check_key_type2 = () => {}, init_verify4, init_verify22, epoch2 = (date) => Math.floor(date.getTime() / 1000), minute2 = 60, hour2, day2, week2, year2, REGEX2, normalizeTyp2 = (value) => {
   if (value.includes("/")) {
     return value.toLowerCase();
   }
@@ -18639,7 +18588,7 @@ var __defProp11, __returnValue2 = (v2) => v2, __export2 = (target, all) => {
     return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
   }
   return false;
-}, init_jwt_claims_set2, init_verify42, init_local2, USER_AGENT2, customFetch2, jwksCache2, init_remote2, init_webapi2, JWTValidationError2, AdminAuthError2, SystemAuthError2, DEFAULT_CLOCK_TOLERANCE_SECONDS2 = 60, DEFAULT_JWKS_CACHE_TTL_MS2, MAX_JWKS_CACHE_TTL_MS2, JWKS_CACHE2, init_jwt2, AUTH_CONTEXT_SYMBOL2, PRINCIPAL_CONTEXT_SYMBOL2, globalAuthContext2, authContext2, principalContext2, init_auth_context2, MANAGEMENT_CAPABILITIES2, init_auth_resolver2, ALLOWED2, defaultAuthorizationPolicy2, init_authorization_policy2, init_auth_config_service2, init_auth2, COMPONENT_MANIFEST_SYMBOL2, init_manifest2, init_id_codec2, SYSTEM_METADATA_GLOBAL_KEY2 = "concave:system_metadata:v1", TABLE_NUMBER_RESERVATION_GLOBAL_PREFIX2 = "concave:table_number:", SYSTEM_TABLE_DEFINITIONS2, init_system_tables2, init_internal2, exports_system_functions_module2, systemFunctions2, init_system_functions_module2, exports_module_loader2, MODULE_STATE_SYMBOL2, MODULE_LOADER_METADATA_SYMBOL2, MODULE_REGISTRY_CONTEXT2, builtInSystemFunctionsModulePromise2, browserConvexFunctionsAllowed2 = false, init_module_loader2, ValidatorError2, init_validator22, Order2, SEARCH_INDEXES_FTS_SCHEMA2 = `
+}, init_jwt_claims_set2, init_verify32, init_local2, USER_AGENT2, customFetch2, jwksCache2, init_remote2, init_webapi2, JWTValidationError2, AdminAuthError2, SystemAuthError2, DEFAULT_CLOCK_TOLERANCE_SECONDS2 = 60, DEFAULT_JWKS_CACHE_TTL_MS2, MAX_JWKS_CACHE_TTL_MS2, JWKS_CACHE2, init_jwt2, AUTH_CONTEXT_SYMBOL2, PRINCIPAL_CONTEXT_SYMBOL2, globalAuthContext2, authContext2, principalContext2, init_auth_context2, MANAGEMENT_CAPABILITIES2, init_auth_resolver2, ALLOWED2, defaultAuthorizationPolicy2, init_authorization_policy2, init_auth_config_service2, init_auth2, COMPONENT_MANIFEST_SYMBOL2, init_manifest2, init_id_codec2, SYSTEM_METADATA_GLOBAL_KEY2 = "concave:system_metadata:v1", TABLE_NUMBER_RESERVATION_GLOBAL_PREFIX2 = "concave:table_number:", SYSTEM_TABLE_DEFINITIONS2, init_system_tables2, init_internal2, exports_system_functions_module2, systemFunctions2, init_system_functions_module2, exports_module_loader2, MODULE_STATE_SYMBOL2, MODULE_LOADER_METADATA_SYMBOL2, MODULE_REGISTRY_CONTEXT2, builtInSystemFunctionsModulePromise2, browserConvexFunctionsAllowed2 = false, init_module_loader2, ValidatorError2, init_validator22, Order2, SEARCH_INDEXES_FTS_SCHEMA2 = `
   CREATE VIRTUAL TABLE IF NOT EXISTS search_indexes USING fts5(
     index_id UNINDEXED,
     document_id UNINDEXED,
@@ -19702,8 +19651,8 @@ var init_dist = __esm(() => {
     JOSEError2 = class JOSEError3 extends Error {
       static code = "ERR_JOSE_GENERIC";
       code = "ERR_JOSE_GENERIC";
-      constructor(message2, options) {
-        super(message2, options);
+      constructor(message22, options) {
+        super(message22, options);
         this.name = this.constructor.name;
         Error.captureStackTrace?.(this, this.constructor);
       }
@@ -19714,8 +19663,8 @@ var init_dist = __esm(() => {
       claim;
       reason;
       payload;
-      constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-        super(message2, { cause: { claim, reason, payload } });
+      constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+        super(message22, { cause: { claim, reason, payload } });
         this.claim = claim;
         this.reason = reason;
         this.payload = payload;
@@ -19727,8 +19676,8 @@ var init_dist = __esm(() => {
       claim;
       reason;
       payload;
-      constructor(message2, payload, claim = "unspecified", reason = "unspecified") {
-        super(message2, { cause: { claim, reason, payload } });
+      constructor(message22, payload, claim = "unspecified", reason = "unspecified") {
+        super(message22, { cause: { claim, reason, payload } });
         this.claim = claim;
         this.reason = reason;
         this.payload = payload;
@@ -19745,8 +19694,8 @@ var init_dist = __esm(() => {
     JWEDecryptionFailed2 = class JWEDecryptionFailed3 extends JOSEError2 {
       static code = "ERR_JWE_DECRYPTION_FAILED";
       code = "ERR_JWE_DECRYPTION_FAILED";
-      constructor(message2 = "decryption operation failed", options) {
-        super(message2, options);
+      constructor(message22 = "decryption operation failed", options) {
+        super(message22, options);
       }
     };
     JWEInvalid2 = class JWEInvalid3 extends JOSEError2 {
@@ -19772,70 +19721,67 @@ var init_dist = __esm(() => {
     JWKSNoMatchingKey2 = class JWKSNoMatchingKey3 extends JOSEError2 {
       static code = "ERR_JWKS_NO_MATCHING_KEY";
       code = "ERR_JWKS_NO_MATCHING_KEY";
-      constructor(message2 = "no applicable key found in the JSON Web Key Set", options) {
-        super(message2, options);
+      constructor(message22 = "no applicable key found in the JSON Web Key Set", options) {
+        super(message22, options);
       }
     };
     JWKSMultipleMatchingKeys2 = class JWKSMultipleMatchingKeys3 extends JOSEError2 {
       [Symbol.asyncIterator];
       static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
       code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-      constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) {
-        super(message2, options);
+      constructor(message22 = "multiple matching keys found in the JSON Web Key Set", options) {
+        super(message22, options);
       }
     };
     JWKSTimeout2 = class JWKSTimeout3 extends JOSEError2 {
       static code = "ERR_JWKS_TIMEOUT";
       code = "ERR_JWKS_TIMEOUT";
-      constructor(message2 = "request timed out", options) {
-        super(message2, options);
+      constructor(message22 = "request timed out", options) {
+        super(message22, options);
       }
     };
     JWSSignatureVerificationFailed2 = class JWSSignatureVerificationFailed3 extends JOSEError2 {
       static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
       code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-      constructor(message2 = "signature verification failed", options) {
-        super(message2, options);
+      constructor(message22 = "signature verification failed", options) {
+        super(message22, options);
       }
     };
   });
-  init_jwk_to_key2 = __esm2(() => {
-    init_errors22();
-  });
-  init_import2 = __esm2(() => {
+  init_helpers2 = __esm2(() => {
     init_base64url2();
-    init_jwk_to_key2();
+    unprotected2 = Symbol();
+  });
+  init_signing2 = __esm2(() => {
     init_errors22();
   });
-  init_validate_crit2 = __esm2(() => {
+  init_jwk_to_key2 = __esm2(() => {
     init_errors22();
   });
   init_normalize_key2 = __esm2(() => {
-    init_is_jwk2();
     init_base64url2();
     init_jwk_to_key2();
   });
-  init_check_key_type2 = __esm2(() => {
-    init_is_jwk2();
-  });
-  init_subtle_dsa2 = __esm2(() => {
+  init_import2 = __esm2(() => {
+    init_base64url2();
+    init_jwk_to_key2();
     init_errors22();
   });
-  init_verify5 = __esm2(() => {
-    init_subtle_dsa2();
-    init_get_sign_verify_key2();
+  init_validate_crit2 = __esm2(() => {
+    init_errors22();
   });
-  init_verify22 = __esm2(() => {
+  init_verify4 = __esm2(() => {
     init_base64url2();
-    init_verify5();
+    init_signing2();
     init_errors22();
     init_buffer_utils2();
+    init_helpers2();
     init_check_key_type2();
     init_validate_crit2();
     init_normalize_key2();
   });
-  init_verify32 = __esm2(() => {
-    init_verify22();
+  init_verify22 = __esm2(() => {
+    init_verify4();
     init_errors22();
     init_buffer_utils2();
   });
@@ -19848,8 +19794,8 @@ var init_dist = __esm(() => {
     year2 = day2 * 365.25;
     REGEX2 = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
   });
-  init_verify42 = __esm2(() => {
-    init_verify32();
+  init_verify32 = __esm2(() => {
+    init_verify22();
     init_jwt_claims_set2();
     init_errors22();
   });
@@ -19862,14 +19808,14 @@ var init_dist = __esm(() => {
     init_local2();
     if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
       const NAME = "jose";
-      const VERSION = "v6.1.3";
+      const VERSION = "v6.2.1";
       USER_AGENT2 = `${NAME}/${VERSION}`;
     }
     customFetch2 = Symbol();
     jwksCache2 = Symbol();
   });
   init_webapi2 = __esm2(() => {
-    init_verify42();
+    init_verify32();
     init_local2();
     init_remote2();
     init_errors22();
@@ -25970,6 +25916,27 @@ function notFoundHttpResponse() {
     }
   });
 }
+function isMissingModuleError(error, moduleName) {
+  if (!error) {
+    return false;
+  }
+  const errorString = String(error);
+  const moduleSpecifiers = [moduleName, `convex/${moduleName}`];
+  const hasDirectMissingMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Module not found: ${specifier}`));
+  if (hasDirectMissingMessage || errorString.toLowerCase().includes("failed to load convex module")) {
+    return true;
+  }
+  const hasResolutionMessage = moduleSpecifiers.some((specifier) => errorString.includes(`Unable to resolve module "${specifier}"`));
+  const causes = error.causes;
+  if (Array.isArray(causes) && causes.length > 0) {
+    return hasResolutionMessage ? causes.every((cause2) => isMissingModuleError(cause2, moduleName)) : causes.some((cause2) => isMissingModuleError(cause2, moduleName));
+  }
+  const cause = error.cause;
+  if (cause) {
+    return isMissingModuleError(cause, moduleName);
+  }
+  return hasResolutionMessage;
+}
 function getHttpRouteRank(routePath) {
   if (routePath.endsWith("*")) {
     return { kind: 0, length: routePath.length - 1 };
@@ -26141,8 +26108,7 @@ class InlineUdfExecutor {
     try {
       return await loadConvexModule(moduleName, { componentPath });
     } catch (error) {
-      const message2 = error?.message?.toLowerCase();
-      if (message2 && (message2.includes("module not found") || message2.includes("failed to load convex module"))) {
+      if (isMissingModuleError(error, moduleName)) {
         throw new Error(`UDF module not found: ${moduleName}`);
       }
       throw error;